> If it wasn’t clear, the reason why I am back at fighting for this
> after taking a break for a few months, is based on the recent positive
> experience from the Twitter migration. To me, it completely voids the
> arguments that normalization on the client side is too hard.
I wholeheartedly disagree with this statement. OAuth 1.0(a) libraries have been around for a few years, and are now available on most every platform. The bugs have already been ironed out, and that wasn't easy to do. Even so, it can still be tricky to get client libraries to behave in some frameworks, and the biggest problem is the fact that the server has to guess what the client thought it signed when trying to build the signature. I think that any signature method that we end up using needs to rely less on magic and anecdote and more on explicit declaration. I think that Brian Eaton's approach of sending the bare string that was signed, which was also a JSON element that could be parsed and validated, was an essential simplification. Even OpenID states which of the parameters on the request were signed, which makes it easier to validate. In short, I am against anything that requires guessing on the part of the receiver of a request.

-- Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
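The "server has to guess what the client thought it signed" problem is concrete enough to show in code. The following is an added example, not code from this thread or from any OAuth library: it builds the OAuth 1.0a signature base string as RFC 5849 specifies (percent-encoding, URL normalization, parameter sorting, HMAC-SHA1 over the concatenation), then shows a genuine request failing verification simply because the server, sitting behind a reverse proxy, reconstructs a different URL than the client signed. The second verifier sketches the explicit-declaration idea from the message: the client ships the exact string it signed, and the server validates that string against the request it received and against its own configured public names instead of guessing. That verifier is my own illustration of the idea, not Brian Eaton's actual proposal; the secrets, the request parameters, `PUBLIC_URLS` and the internal proxy hostname are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Constructed example secrets; nothing here is a real credential.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"

# Public URLs this server accepts as its own identity (configured, not derived
# from Host headers or proxy settings). Hypothetical value for the example.
PUBLIC_URLS = {"https://api.example.com/1/statuses/update.json"}


def enc(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default ports,
    drop query and fragment (query parameters are signed separately)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit already lowercases the host
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_params(params):
    """RFC 5849 section 3.4.1.3.2: encode, sort by name then value, join with '&'.
    `params` holds every oauth_* and request parameter except oauth_signature."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params):
    """RFC 5849 section 3.4.1.1: METHOD & enc(url) & enc(normalized params)."""
    return "&".join([method.upper(), enc(normalize_url(url)), enc(normalize_params(params))])


def hmac_sha1(text):
    """RFC 5849 section 3.4.2: key is enc(consumer secret) & enc(token secret)."""
    key = f"{enc(CONSUMER_SECRET)}&{enc(TOKEN_SECRET)}".encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()


def client_sign(method, url, params):
    """Client side: returns (signature, the base string it actually signed)."""
    text = base_string(method, url, params)
    return hmac_sha1(text), text


def verify_by_reconstruction(method, url_as_seen, params, signature):
    """Server side, OAuth 1.0a style: rebuild the base string from the request as
    the server perceives it and hope it matches what the client built. Any
    difference in perceived scheme, host, port or parameter source breaks it."""
    expected = hmac_sha1(base_string(method, url_as_seen, params))
    return hmac.compare_digest(expected, signature)


def verify_declared(method, params, declared, signature):
    """Server side, explicit-declaration style (illustration, not a standard):
    the client sends the exact string it signed; the server checks that string
    against the received method and parameters and against its configured
    public names, then checks the HMAC over that same string."""
    parts = declared.split("&")
    if len(parts) != 3:
        return False
    d_method, d_url, d_params = (unquote(p) for p in parts)
    if d_method != method.upper():
        return False
    if d_url not in PUBLIC_URLS:  # configured identity, not a guess from headers
        return False
    if d_params != normalize_params(params):
        return False
    return hmac.compare_digest(hmac_sha1(declared), signature)


def demo():
    """Constructed request: the client signs the public URL; the server sits
    behind a reverse proxy and sees an internal host and port instead."""
    params = [("status", "hello world"), ("oauth_consumer_key", "key-example"),
              ("oauth_token", "token-example"), ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "1300000000"), ("oauth_nonce", "n0nce"),
              ("oauth_version", "1.0")]
    public_url = "https://api.example.com/1/statuses/update.json"
    proxied_url = "http://app-backend.internal:8080/1/statuses/update.json"
    sig, declared = client_sign("POST", public_url, params)
    tampered = [("status", "changed in transit")] + params[1:]
    return {
        "same_view": verify_by_reconstruction("POST", public_url, params, sig),
        "proxied_view": verify_by_reconstruction("POST", proxied_url, params, sig),
        "declared": verify_declared("POST", params, declared, sig),
        "declared_tampered": verify_declared("POST", tampered, declared, sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'rejected'}")
```

Running `demo()` shows the asymmetry the message is pointing at: the reconstructing verifier rejects an honest request as soon as the server's view of the URL differs from the client's, and it can only report "signature mismatch" with no indication of which component disagreed, whereas the declared-string verifier can reject with a specific reason (wrong method, unknown public URL, parameter mismatch) and still binds the signature to the parameters actually received, so a modified parameter is caught.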